Switch – DHCP server on Switch or on Router

dhcprouterswitch

I have a DHCP server set up on a L3 24port switch that connects to multiple routers that different clients connect to (hotel room scenario). With the dhcp on the switch everyone can see who is connected to the entire network if they look.

I only want devices connected to the same router to be able to see each other. (Can/should it be done from the L3 dhcp switch) or is it best to have dhcp done from the router?

Best Answer

If all you want to achieve is separate users from each other you can try setting Private VLAN or port isolation. This way each port can only communicate with gateway (uplink port). With such setup it does not matter whether DHCP server is directly on switch or external, but for flexibility reasons it is better to be external and just configure dhcp relay on switch to forward all requests to dhcp server.

Also if switch support "gleaning" to see DHCP transactions or DHCP lease query (RFC4388) it can even block all attempts of users to use unathorized IP addresses. For example on Mikrotik equipment you can use embedded DHCP server to put all DHCP clients into ARP tables directly and by turnning off arp responses it can force clients to only use DHCP assigned addresses.

This is theory. In practice it all depends on the actual hardware and software involved. By giving more info we can give you better answers with examples.

Related Solutions

Changing the DHCP server

Will confusion reign on the LAN?

Generally, no. The machines that have addresses will still have them, until their lease expires. I'm not sure how smart the Westel DHCPd is, but most will verify an address is not in use before assigning it. You can avoid any possible collisions by setting each router to use a different range of addresses: router 1 -- 192.168.1.100-149, router 2 -- 192.168.1.150-199. When new machines come online or old leases expire, they'll get an address from the currently active router.

(Just remember to not set any host to 100-199.)

Vlan – IPv6 DHCP Server vs Router

IPv6 has more options for configuring addresses than IPv4. The process works as follows:

A new client joins the network and sends a Router Solicitation (RS)
Each router (can be multiple) sends a Router Advertisement (RA)
- This happens both on request (when receiving an RS) as well as periodically
The RA contains a lot of information on how the network is run:
- If the router sending the RA can be a default gateway, and for how long
- Telling clients if there is a stateless (not giving out addresses, only providing extra information like DNS settings) DHCPv6 server on the network (the O=other flag)
- Telling clients if there is a stateful (like in IPv4) DHCPv6 server on the network (the M=managed flag)
- Telling clients about the prefixes in use on the network
  - For each prefix: tell the clients if they can auto-configure an address by themselves (the A=autoconf flag)
- And possibly lots of other stuff

If you want to run a fully managed network where the DHCPv6 server manages all the addresses (and please think why you want this before choosing it, if you don't use the information in the DHCPv6 server then letting clients configure their own addresses is much easier) then the router has to turn off the A (autoconf) flag for every prefix it announces and turn on the M (managed) flag so that clients know that they are not allowed to choose their own addresses but that there is a DHCPv6 server available to help them.

This is how to do that on a Cisco router:

; Go to the interface configuration
interface FastEthernet0/0
  ; Tell clients that auto configuration is not allowed
  ; This changes the default parameters.
  ; You have to specify the timers, so I use the standard values
  ipv6 nd prefix default 2592000 604800 no-autoconfig
  ;
  ; Tell the clients that there is a stateful DHCPv6 server available
  ipv6 nd managed-config-flag

; Repeat this for every (sub)interface where you want to force clients to use DHCPv6.

Also note: You need those RA packets. DHCPv6 only provides information, and optionally addresses. It does not provide a default gateway. That is done using RA. The idea here is that routers usually have better information on routing and gateways than DHCP servers, with the added benefit that you can have multiple routers on one subnet acting as default gateways with clients load balancing between them etc.

Best Answer

Related Solutions

Changing the DHCP server

Vlan – IPv6 DHCP Server vs Router

Related Topic